I am using FreeRADIUS to authenticate users via an external script, as shown here, that returns Accept or Reject when passed a username and password pair.

authorize {
    update control {
        Auth-Type := `/usr/bin/php -f /etc/raddb/yourscript.php '%{User-Name}' '%{User-Password}' '%{Client-IP-Address}'`
    }
}

This works properly as expected when the client is using PAP. The password is sent in %{User-Password}.

However, when using CHAP or MS-CHAP it does not work, as %{User-Password} remains empty.

How can I get the plaintext password to send to my script? Alternatively, is there any other way to support CHAP/MS-CHAP?

Pranab

1 Answer

The %{CHAP-Password} field contains a hash of the password and the challenge, which is some magic number.

The %{CHAP-Challenge} field contains the challenge used in that session.

While you can't get the plain-text password from this in a straightforward realtime way, if you have the plaintext password you can hash it with the CHAP-Challenge as shown here using md5. This should then be equal to your CHAP-Password value.

Pranab
  • Could you please add code for what I have to do? Auth-Type := `/usr/bin/php -f /etc/raddb/yourscript.php '%{User-Name}' '%{CHAP-Password}'` Will this send the password? – Ahmed Bermawy Apr 19 '16 at 10:04
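
Added example (not part of the original answer or comment): the comparison the answer describes, written for a PHP script invoked with '%{User-Name}' '%{CHAP-Password}' '%{CHAP-Challenge}'. It assumes both CHAP values arrive as hex strings (optionally prefixed with 0x); the function `lookup_plaintext_password` and the sample user are hypothetical stand-ins for your own user store.

```php
<?php
// Added example: CHAP verification inside an external auth script.
// Assumed argv order: username, CHAP-Password (hex), CHAP-Challenge (hex).

// Hypothetical credential lookup; replace with your own user store.
function lookup_plaintext_password(string $user): ?string
{
    $users = ['alice' => 'correct horse']; // constructed sample data
    return $users[$user] ?? null;
}

// Decode a hex string, with or without a leading "0x"; null on bad input.
function hex_to_bytes(string $hex): ?string
{
    $hex = preg_replace('/^0x/i', '', trim($hex));
    if ($hex === '' || strlen($hex) % 2 !== 0 || !ctype_xdigit($hex)) {
        return null;
    }
    return hex2bin($hex);
}

// CHAP-Password is 1 byte of CHAP identifier followed by the 16-byte MD5
// response (RFC 2865). The expected response is
// MD5(identifier . password . challenge) (RFC 1994).
function chap_verify(string $chapPasswordHex, string $challengeHex, string $password): bool
{
    $chap = hex_to_bytes($chapPasswordHex);
    $challenge = hex_to_bytes($challengeHex);
    if ($chap === null || $challenge === null || strlen($chap) !== 17) {
        return false; // malformed input is treated as a failed login
    }
    $expected = md5($chap[0] . $password . $challenge, true); // raw 16 bytes
    return hash_equals($expected, substr($chap, 1)); // constant-time compare
}

// Print Accept or Reject, matching what the question's script returns.
if (PHP_SAPI === 'cli' && isset($argv[3])) {
    [, $user, $chapPassword, $challenge] = $argv;
    $password = lookup_plaintext_password($user);
    $ok = $password !== null && chap_verify($chapPassword, $challenge, $password);
    echo $ok ? 'Accept' : 'Reject';
}
```

This check only works if the script can retrieve the user's plaintext password, so the credential store has to hold it in recoverable form. When a request carries no CHAP-Challenge attribute, RFC 2865 uses the Request Authenticator as the challenge, a case this example rejects rather than handles.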